The True Cost of a Cyber Attack

img blog The True Cost of Cyber Attack r1

Recently, Brett Gallant, Adaptive’s fearless leader, made a short video about the staggering cost of a cyber attack for the parent company of the Sobeys grocery store chain – a whopping $25 million dollars.

According to excerpts from a recent article by the CBC, they wrote, “Empire estimates that the financial impact on fiscal 2023 annual net earnings will be approximately $25 million, after expected insurance payouts. The report, however, does not clarify the nature of the attack; whether it was ransomware, or if any ransom was paid.

That number includes loss-of-product and direct costs such as information technology, professional expenses, and legal expenses. Empire said it has cyber insurance, but there may be a lag between ‘the incurrence of costs and confirmation of insurance proceeds.’

The company owns 1,500 stores across Canada, including Sobeys, Lawtons, IGA, Safeway, Foodland, FarmBoy, Needs, and other grocery outlets.

Employees have told CBC News the cyberattack did involve ransomware and caused turmoil at Empire-owned stores across the country. Staff at in-store pharmacies were unable to access their computers to fill prescriptions for several days following the attack, and some outlets ran short of items.

The company is still investigating whether customers’ personal data was stolen in the attack. If it finds data has been removed, it will take steps with privacy regulators and impacted individuals, it said.

Sobeys was hit with what it now calls a ‘cyber security event’ on Nov. 4. It was previously described as an ‘information technology systems issue.’

Empire says cyber security experts were immediately hired, the source isolated, and measures were taken to prevent further spread.

Pharmacy services were shut down for four days. Self-checkouts, gift cards, and points were impacted for about a week, the company said.

Empire CEO Michael Medline said the company’s initial press release ‘Was as specific as we could make it due to security reasons.’ He refused to provide any more details, saying, ‘We will not elucidate further on this subject beyond these prepared remarks in our published disclosure’.”

Bear in mind, that was a single cyber attack, against a single company, based in Stellarton, Canada. Just imagine how much cyber attacks are costing all of North America, not to mention the rest of the world. 

Speaking of the world… according to Cybersecurity Ventures, they predicted that by the end of 2022 the expected cost of cybercrime globally is 6 trillion dollars, and this figure is expected to go as high as 10.5 trillion dollars in 2025. 

They went on to report: The cybersecurity industry has quite a huge skill gap, resulting in about 3.5 million unfilled jobs in 2021. 

***So, If you don’t already have a cyber security expert protecting your business, it would be wise to hire one before it’s too late.

The Costs of a Cyber Attack for SMBs

In excerpts from a fantastic article by swktech, they wrote, “This article will drill down into the particular costs that can result from a cyber attack for SMBs specifically, including both direct and indirect damages. 

It is clear that the aftermath of a breach can become quite expensive, but preventative measures can limit the impact tremendously. Multiple reports reveal that prepared businesses saved between 30% to 80% in recovery expenses – numbers that can make the difference for a small business, especially considering how many came close to, or had to, completely shut down after being breached.

Here are a few examples of the costs that come with a cyber attack against SMBs, and how your business can control them:

Direct Costs of a Cyber Attack

There are several methods that hackers can try to take your money, but there are even more ways that a breach can cause lasting monetary damage. Here are some of the direct costs that can result from an attack:

Theft & Ransom

While the layers of security protocols in most banks can – for the most part – prevent someone from just walking in and taking your money, there are plenty of techniques for committing identity theft and wire fraud, with the average loss per victim being $100,000 in 2020. Many cybercriminals have switched over to ransomware to effectively cut out the middleman and put the pressure directly on the victim, with the average payment ranging from about $200,000 to $2 million, depending on the industry – and often, gangs will commit to double extortion or just steal and copy the data anyway.

Remediation & Notification

Post-breach activities altogether represent the greatest average cost of a cyber attack, many of which are required by law, depending on the state or industry your business is in. This includes notifying stakeholders, which can include consumer reporting agencies, and offering identity theft and other recuperation services to your customers.

Data Recovery

Data loss and recovery costs will come from multiple sources and thus can vary wildly, averaging from $150 to over $300 per record, rising higher in industries such as healthcare. Everything from restoration to remediation will bring a base expense that can grow exponentially the more damage is done – for ransomware alone, this averages at about $2 million, and victims typically do not get all of their data back.

Compliance

Regulatory compliance – or more specifically, noncompliance – can generate additional costs beyond the notification and recovery expenses. Instances of nonconformance can generate heavy fines that reach millions of dollars for industries like financial services.

Cyber Insurance Rates

Cyber insurance premiums rose between 50% to 100% in 2021 as providers kept pace with the growing rate of cyber attacks, and rates will more than likely climb for victims of a breach.

Indirect & Potential Costs of a Cyber Attack

While direct cost averages are already devastating, indirect costs of cyber attacks actually represent a big chunk of the damages that most businesses face after being breached. Here are some examples of the potential losses that can arise:

Business Lost to Downtime

Every hour your business is down while responding to a cyber incident represents a significant loss of productivity, adding to the growing deficit brought on by other breach expenses. Estimates are that small businesses will lose around $28,000 while shut down on average.

Reputational Damage

The fallout from being hacked and losing control of the data you have collected will extend to your customers and partners, who now have to bear the consequences of their own information being exposed without any direct input on their part. This can lead to losing even more business, with SMBs facing average costs of $8000 from reputational damage alone.

Loss of Intellectual Property

Valuable intellectual property data that is compromised during a breach can generate considerable potential long-term losses as hackers can disseminate the IP to competitors around the world. Resulting litigation only adds to the ultimate cost as legal fees mount up over time.

Future Cybersecurity Investment

A somewhat ironic after-effect of many breaches is that those companies quickly opted to begin investing in better cybersecurity, quite often because it was mandated by state and industry regulations. While an improvement, when coupled with the expenses of the initial cyber attack, it makes for a very expensive lesson learned when the alternative was much cheaper.

The Cost of Defending Against Cyber Attacks

Averages vary, but the total direct cost of a cyber attack among SMBs is reported to be around $25,000; companies with less than 10 employees fell between a median of $8000 to $308,000 while those with less than 50 saw a range of $12,000 to $285,000. However, as much as 67% of small business victims were breached multiple times, so these numbers could go up as much as double or higher within a single year.

Cybersecurity investments have long been considered expensive, with annual costs for a full setup going above $50,000 on-premise and $30,000 for cloud security, but generate significant savings over time when compared to the potential losses above.

Doing Nothing is More Expensive in Cybersecurity

With the probability of an SMB being hacked growing every year, it is ever statistically likely that your business will be faced with an attempted intrusion. If you have no network security in place, your team will need to ask yourselves the hard question – how much of any (or all) of the costs listed above will your company be able to absorb in the event of a cyber attack? If the answer is anywhere close to “none,” then you need to consider investing in a cybersecurity strategy ASAP.”

Seven Hidden Costs of a Cyberattack

According to excerpts from a phenomenal article by Deloitte, they wrote, “There are many ways a cyberattack can affect—and cost—an organization, and the impacts will vary depending on the nature and severity of the event.

Common perceptions, however, are mostly shaped by what companies are required to report publicly—primarily theft of personally identifiable information (PII), payment data, and personal health information (PHI). Discussions tend to focus on costs related to customer notification, credit monitoring, and the possibility of legal judgments or regulatory penalties. 

Rarely brought into full view, however, are cases of intellectual property (IP) theft, espionage, data destruction, attacks on core operations, or attempts to disable critical infrastructure. Beneath the surface, these attacks can have a much more significant impact on organizations and lead to additional costs that are both more difficult to quantify and often hidden from public view.

Below the surface costs

Overall, the cyber report identified 14 business impacts of a cyber incident as they play out over a five-year incident response process—seven direct and seven hidden costs. For the intangible costs, various financial modeling techniques were used to estimate the damage (see “Assigning value to intangible losses”). And the research showed that the direct costs commonly associated with data breaches were far less significant than the “hidden” costs. In fact, in Deloitte’s scenarios, they accounted for less than 5 percent of the total business impact.

Given that impact, CFOs should be aware of the following seven hidden costs:

  • Insurance premium increases.  Insurance premium increases are the additional costs an insured entity might incur to purchase or renew cyber risk insurance policies following a cyber incident. There is little public data available on actual premium increases following cyberattacks. Deloitte conducted informal research among leading providers of cyber insurance and found that it is not uncommon for a policyholder to face a 200 percent increase in premiums for the same coverage, or possibly even be denied coverage until stringent conditions are met following a cyber incident. 

According to our sources, factors that influence future costs may include: a willingness and depth of information provided by the policyholder upon review of the incident; the policyholder’s plans to improve incident handling or other aspects of its security program; anticipated litigation; and assumptions concerning the company’s level of cybersecurity “maturity.” 

  • Increased cost to raise debt. Increased cost to raise debt occurs when, as a result of a drop in credit rating, the victim organization faces higher interest rates for borrowed capital, either when raising debt or when renegotiating existing debt.

Organizations appear to be perceived as higher-risk borrowers during the months following a cyber incident. Deloitte observed that, in the short term, the credit rating of agencies was typically downgraded by one level after a cyber incident. 

  • Operational disruption or destruction. The Impact of operational disruption or destruction is a highly variable cost category that includes losses tied to the manipulation or alteration of normal business operations and costs associated with rebuilding operational capabilities. 

This could include the need to repair equipment and facilities, build temporary infrastructure, divert resources from one part of the business to another, or increase current resources to support alternative business operations to replace the function of systems that have been temporarily shut down. It could also include losses associated with the inability to deliver goods or services. 

  • Lost value of customer relationships. During an initial period immediately following a breach, it can be hard to track and quantify how many customers are lost. Economists and marketing teams approach this challenge by attaching a “value” to each customer or member to quantify how much the business must invest to acquire that customer or member. 

They then look at the likely revenue that this one customer or member will generate for the business over time. These numbers can then be evaluated per industry and particular organization to estimate how much investment is needed to attract and acquire new customers.

  • Value of lost contract revenue. The value of lost contract revenue includes revenue and ultimate income loss, as well as lost future opportunities associated with contracts that are terminated as a result of a cyber incident. 

Following a cyberattack, if the subject company were to lose contracts, it was assumed there would be a decrease in revenues. Then the present value of cash flows that the company would earn over the term of the contracts was determined.

  • Devaluation of trade name. Devaluation of a trade name is an intangible cost category referring to the loss in value of the names, marks, or symbols an organization uses to distinguish its products and services. A brand name is associated with the name of a specific company or a specific product, whereas a trade name relates to an organization as a whole. 

To determine the financial impact of a cyber incident on the value of a company’s trade name, the likely value of the trade name both before and after the cyber incident has to be assessed. To value the trade name itself, Deloitte employed the relief-from-royalty method. The relief-from-royalty method, commonly used to value IP assets such as trade names, estimates the value by analyzing what another entity would have to pay to license the company’s trade name. 

  • Loss of intellectual property. Loss of IP is an intangible cost associated with loss of exclusive control over trade secrets, copyrights, investment plans, and other proprietary and confidential information that can lead to loss of competitive advantage, loss of revenue, and lasting and potentially irreparable economic damage to the company. 

Types of IP include, but are not limited to, patents, designs, copyrights, trademarks, and trade secrets. Unlike other types of IP, trade secrets are protected indefinitely until publicly disclosed. Similar to the value of a trade name, the value of IP is estimated by approximating how much another party would pay to license that IP.”

How Small Businesses Can Guard Against Cyber Attacks

According to excerpts from an article by DocuSign, they wrote, “Some independent business owners have the misguided impression that they’re too small to catch the attention of hackers or other bad players. No organization can be completely immune from the increasing number of malware, phishing, and other malicious online behavior. In fact, IBM Security studied 550 organizations impacted by data breaches throughout a year-long timeframe ending last March and found 83 percent of them had suffered more than one data breach.

A recent Provident Bank survey found just half of small business owners are fully prepared for a cyber attack. Interestingly, just as many respondents said they were concerned about cyber security and thought about it on a daily basis.

Business owners can turn those concerns into a strong offense by taking measures to protect their data during a time when both the cost and frequency of cyberattacks are rising. In this blog, we’ll share some tips and best cybersecurity practices.

Educate your employees

More than 80 percent of data breaches are caused by human error. Mistakes happen, but when your company’s data is compromised due to a breach, the implications can be significant. Security breaches can weaken customer trust, your brand’s reputation, and your bottom line. That’s why it’s important to ensure employees are trained to follow best practices (including safe browsing habits), recognize and flag suspicious emails, and protect customer data.

If you’re not in a position to personally train employees, there are many resources and online courses you can take advantage of to help them understand and recognize risks.

Use and update security software

Some small businesses are reluctant to invest in online security because they think they can’t afford it. But the consequences of inaction can be even more costly, with U.S. security breaches across all industries averaging $9.44 million–each.

Securing your network and installing antivirus software is one way of keeping your data safe. Ensure all of your work-issued computers are equipped with a firewall and that the latest software updates have been installed. Antivirus software is proven to prevent malicious attacks and is one of the best lines of defense against bad players.

Protect customer data

Securing and backing up customer data should be a vital part of your cybersecurity strategy.  You can safeguard customer data by:

  • Ensuring access is restricted only to employees who need it
  • Encrypting data to protect it from hackers
  • Checking to confirm the customer relationship management software you’re using is reliable and trusted
  • Limiting the amount of data stored to the essentials

To safeguard your customer data against any breaches, ensure cloud applications are configured in a secure manner before using them to back them up. Using secure cloud-based management systems will also safeguard your files in the event a computer is lost or damaged.

Practice Zero Trust

It’s natural to be trusting, but when it comes to online security, it’s best to put those instincts aside and exercise skepticism. The zero trust model to cybersecurity is an approach that requires businesses to validate each stage of their online interactions. Examples include multi-factor authentication, utilizing access models, following least-privilege, limiting access points for attackers, and utilizing artificial intelligence to identify attacks quickly.

This airtight approach might seem extreme, but the growing prevalence of online attacks is prompting a growing number of businesses to embrace it.  It’s important to note that just 41 percent of the targeted organizations included in the IBM study used a zero trust security system; the remaining 59 percent of organizations did not and as a consequence incurred more than $1 million in additional losses than targeted companies that did incorporate the zero trust model.

Investigate alternative password options

Your business could tighten its email security by rolling out password requirements to ensure email accounts are protected by unique codes that are changed on a regular basis. Or, you could take passwords out of the equation entirely.

Passwordless authentications are gaining traction as a way to securely verify user identity. Some companies are using one-time passwords sent to registered devices, two-factor authentication, and even biometrics such as fingerprints or facial recognition.”

 At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.

Every single device that connects to the internet poses a cyber security threat, including that innocent-looking smartwatch you’re wearing. Adaptive’s wide range of experience and certifications fills the gaps in your business’s IT infrastructure and dramatically increases the effectiveness of your cybersecurity posture.

Using our proactive cybersecurity management, cutting-edge network security tools, and comprehensive business IT solutions you can lower your costs through systems that are running at their prime; creating greater efficiency and preventing data loss and costly downtime. With Adaptive Office Solutions by your side, we’ll help you navigate the complexities of cybersecurity so you can achieve business success without worrying about online threats.

To schedule a Cyber Security Risk Review, call the Adaptive Office Solutions’ hotline at 506-624-9480 or email us at helpdesk@adaptiveoffice.ca

Categories
Archives